Hash: SHA256
CA20201116-01: Security Notice for CA Unified Infrastructure Management
Issued: November 16th, 2020
Last Updated: November 16th, 2020
CA Technologies, A Broadcom Company, is alerting customers to
a
vulnerability in CA Unified Infrastructure Management. A
vulnerability
exists that can allow a local attacker to elevate privileges.
CA
published solutions to address this vulnerability and recommends
that
all affected customers implement these solutions.
The vulnerability, CVE-2020-28421, occurs due to improper
access
control. A local attacker can potentially elevate privileges.
Risk Rating
CVE-2020-28421 - High
Platform(s)
Microsoft Windows
Affected Products
CA Unified Infrastructure Management 20.1
CA Unified Infrastructure Management 9.2.0
CA Unified Infrastructure Management 9.1.0
CA Unified Infrastructure Management 9.0.2
Note: older, unsupported versions may be affected
Affected Components
The applicable component is robot (also known as
controller).
Affected robot versions:
before 7.97HF11
before 9.20HF20
before 9.20SHF20 (secure)
before 9.30HF4
before 9.30SHF4 (secure)
Non-Affected Products
CA Unified Infrastructure Management 20.3
Non-Affected Components
Non-affected robot versions:
7.97HF11 or later
9.20HF20 or later
9.20SHF20 (secure) or later
9.30HF4 or later
9.30SHF4 (secure) or later
How to determine if the installation is affected
Check for the controller version in Infrastructure Manager or
Admin
Console. If the version is lower than 7.97HF11 for UIM 9.0.2,
9.20HF20 or 9.20SHF20 for UIM 9.2.0, 9.30HF4 or 9.30SHF4 for UIM
20.1,
then it is affected.
Solution
CA Technologies published the following solutions to address
the
vulnerabilities:
robot_update patches 7.97HF11 (or above), 9.20HF20 (or above)
and
9.30HF4 (or above).
robot_update_secure patches 9.20SHF20 (or above) and 9.30SHF4 (or above).
Note: UIM 8.5.1 users must upgrade robot to 7.97HF11. UIM
9.1.0 users must upgrade robot to 9.20HF20 (or above).
Hotfixes are available at:
https://support.broadcom.com/external/content/release-announcements/CA-Unif
ied-Infrastructure-Management-Hotfix-Index/7233
References
CVE-2020-28421 – CA UIM improper access control privilege elevation
Acknowledgement
CVE-2020-28421 – Fabius Artrel
Change History
Version 1.0: 2020-11-16 - Initial Release
CA customers may receive product alerts and advisories by
subscribing
to Proactive Notifications on the support site.
Customers who require additional information about this notice
may
contact CA Technologies Support at
https://support.broadcom.com/
To report a suspected vulnerability in a CA Technologies
product,
please send a summary to the CA Technologies Product
Vulnerability
Response Team at ca.psirt <AT> broadcom.com
Security Notices, PGP key, disclosure policy, and related
guidance can
be found at:
https://support.broadcom.com/external/content/security-advisories/CA-Produc
t-Vulnerability-Response-Team-Contact-Information/1867
Regards,
Ken Williams
Vulnerability and Incident Response, CA PSIRT
https://techdocs.broadcom.com/ca-psirt
Broadcom | broadcom.com | Kansas City, Missouri, USA
ken.williams <AT> broadcom.com | ca.psirt <AT>
broadcom.com
Copyright (c) 2020 Broadcom. All Rights Reserved. The term
"Broadcom"
refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the
pulse
logo, Connecting everything, CA Technologies and the CA
technologies
logo are among the trademarks of Broadcom. All trademarks, trade
names,
service marks and logos referenced herein belong to their
respective
companies.
-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 15238)
Charset: utf-8
wsBVAwUBX7hE93DWZsOpNI4OAQiAcAgAqvsNL9t+DI5bO8q0/0vqjyqv/YHX66eU
NJx/MPaR0+iFZiNHr54KjD76+Pj+Fp4RsfCU0DNrk6DbrNp4K9wZFdinOLBVqg92
UoEjm5iGJwfiML2A1cL7+OSVU6eLJ7EuagbM4QKksLiCp4cqvZiEc8KrafGaw6Cg
8KSgcVz1uLtwH+Nek5D+fKwQkwNHnFFCINFniyy/nhVHZyKeUpxBa0h9Kjse1P2g
3bdcST3AzoasFWp8j/mGQ7qmzNtFCoUjNIG5wbksfrJdyJr1tILLpWaz2g7VXwL4
UYaBnRSrhsnkwdlX8VgP1Yq8ZGAzzI/7s+XAES14Ldhlh7M61SM0Vw==
=f9//
-----END PGP SIGNATURE-----
Read more https://packetstormsecurity.com/files/160165/CA20201116-01.txt
